ABC is a new multi-national Management Consulting Firm with headquarters in US. ABC manages all off-site and on-site consulting activities with a core 1000 staff member. ABC has branch offices at ten locations all over the world. Amongst its clientele are software companies, oil exploration and drilling companies, hospitality, insurance and banking corporations. ABC conducts a critical analysis of its current management practices and seeks suggestions for the creation of management practices for identification, response and monitoring anomalous behavior, or interference into the company’s information technology and operation. We conduct comprehensive current practices with respect to “Risk Assessment and Risk Management,” “Backups and Business Continuity Planning,” “Disaster Recovery Planning,” “Information Assurance Future,” “Computer Incident” Response Teams “make the networks more reliable and less vulnerable to external attack.
Risk Assessment and Risk Management
They perform an overview of the company’s current risk assessment and risk management strategies. Risk recognition is the first step in Managing Risk. Risk assessment follows and is important for all activities related to risk management. Prioritization and risk control follow on from recognition. Risk evaluation measures the understanding of security risks to an enterprise, its processes and function. It is defined by Ahrens et al as the process of evaluating security-related risks to an organisation, its assets, or personnel from internal and external threats. The Risk Assessment in the a company depends upon two factors. One is the source of risk which can be quantified and the other is the likelihood of its occurrence. Generally, the Risk is calculated as the multiplication factor of the two.
The second most important factor in Risk Assessment is the probability of occurrence of a risk. Since all the branches are located in different geographical regions in one time-zone, the risk perception of natural calamities is different. The probable natural calamities like floods, earthquakes, volcanoes, hurricanes, and striking of lightening are different. Other than that there are hazards of fire, sabotage and terrorism. All offices use fire resistant material in the interiors. Fire safety norms are followed and in the eventuality of fire the staff is trained to extinguish it keeping the risk to the minimum.
The Risk Management Committee used the Probability and Risk graph to pinpoint those risks that have the chance to create maximum loss. To cite an example, although earthquake has the potential to destroy the buildings but since the office is located in an area where there are has been occurrence of no major earthquake in the past few hundred years, the probability of the earthquake and the hence the risk associated with it decreases. On the other hand, fire hazard is given the topmost agenda although the fire-fighting equipment, fire gears and guaranteed immediate help from the Fire Department helps to mitigate the risk. The Risk is assessed and given priority according to its supposed damage and probability of probability of its occurrence. The practical value of the analysis of loss risk depends on the ability and thoroughness with which the underlying risks are defined for an organization. This is the first and most important step throughout the whole process. Each aspect of the under review enterprise or facility must be analyzed to isolate those circumstances, activities, and relationships which may result in loss. The analyst must take into account the dynamic nature of the business at every change and between daylight and darkness for an accurate analysis. The daily routine must be understood, because the loss-producing causes can vary from hour to hour (Ahrens et. al) This constant monitoring makes risk assessment the toughest part of the Risk Management, yet, it always remains paper work without accompanying real time strategies to fight risks that come under Risk Management. The Company begins by enforcing a two tier risk and security regimen. There will be a top Risk Management Committee stationed at the Head office and sub Risk Management Committees at the branch office level.
- The company has a website and a unique database. The website is hosted on a remote server. The database of the company is firewall protected.
- Only limited number of staff members can access the unique database.
- All branch offices have their own space in website where they feed data on day to day basis.
- A back up of all the transaction history is automatically created in once a day. The back up is stored on the proxy server provided by the Networking Agency.
- The CEO of the company reviews the functioning of the company on website once a day.
- A single team is allocated to providing consultancy to one particular type of industry.
- No staff member can access the database of another office.
- The company has a website and all important data are stored on the website. It is accessible to local users with a password and the headquarters is empowered to access data related to any office.
- In the absence of staff working on a project, the time schedules suffer leading to deferment of work and loss of revenue for the company.
- There are no stand bys in the staff. The staff needs to be encouraged to take up cross-duties to decrease dependence on a particular professional. .
- The company forfeited a lot of business to competitors due to its inability to operate in countries that were labeled in “Red” by the headquarters.
- Each office has its own database of the completed works, payments, list of probable clients, calls made, follows ups, information exchanged.
- There is no risk manager who can conduct prioritization of the risks and make an assessment of the loss in likelihood of their occurrence.
- All information entered regarding a particular operation in an office is entered in the website on the evening of each working day.
Besides, the natural risks, the Risk Management Committee asses the risks to the business in case of loss of health or life of the employees. Though the work handled by an employee may not quantifiable totally in terms of money, however, a risk factor is associated with all the seats in the branch. As the manager rises in the hierarchy, the risk associated with this job increases. Hence a lot of emphasis is given to system preparedness where all individual decisions are recorded, documented and monitored from time to time. Risk is also assessed in case of the staff going on a strike. Although it may never have occurred in the past, but such an eventuality can never be ruled out. Risk assessment due to failure of general health of a manager is also calculated on the previous incidents of sickness. Again the average is calculated over a period of five years and the average for a year is calculated. We will study risk mitigation for all the above scenarios in detail in Risk Management.
Risk Management is the practical handling of risks that have been assessed in the Risk Assessment. It is strategic handling of risky situations where the impact of risk is not only lowered but and tackled before they complete the damage through the risk management strategies. Risk management options are generally referred to as risk management options subdivided into avoidance, regulation, presumption, transfer of risk, information and study.
They are concerned with precautions during the risk control phase of the risk management process, also known as inspections. Safeguards fit into at least three categories— technical, management, and operational: The Risk Management Committee keeps itself abreast of all kinds of security threat perceptions by risk assessment and devises and ways and means to manage the risks.
Human Resources: All the managers of the company are ensured for the net worth of business they deliver to per year. This also includes the values of intangibles like knowledge management in apt decision making. To arrive at such figure that may be suggestive of the employee’s worth towards the company, his performance over last years and the difference it made to company operations is calculated. As is obvious, the higher the hierarchy level of a manager the more is his value towards the company.
Risk Management Recommendations
- Based on the information gathered by the Risk Management Committee it creates a report that categorizes all functions in 1. Based upon the threat perception the business processes are categorized into a) Highly risky, b) Risky c) Not so risky.
- Risk Management Charting is done where a matrix of risk and its consequences in with the probable risk of occurrence should be created and discussed. The key implications of matrix should be understood in detail by all members of the Risk Management Committee and further disseminated amongst the members of the staff.
- The Committee suggests that all operations that fall in “Highly Risky” be given priority. Special drills are carried out for staff to meet with contingency in “Highly Risky” category.
- Since most of the operations falling “Highly Risky” category relate to processes carried out with Information Technology it is recommended that additional security software be purchased and put to use. A physical back up of the all the database stored on the server and the proxy server be carried out once in a week and its copies be stored in the CEO’s office. At least one additional secured remote space is rented in another city to store one copy of the weekly database report.
- For all human interaction based “Highly Risky” process categories at least one back up in form different personnel be made. Such a person should be located in different branch. For example for Business Process ‘X’ happening in Office A should be located in Office B.
- Probable course of foreseeable risks be written down. Firefighting and damage control processes are charted. All the key members of the staff should go through quarterly training in risk alleviation and damage control.
- All processes, activities falling in “Risky” category should be identified and a separate risk mitigation plan be charted for all intricate functions. For general risks there can be a general risk mitigation plan.
- For all the processes falling in “Not So Risky” category awareness camps through quizzes, seminars and question-answer session can be carried out. Even if the accompanying immediate risk in this category may be less but sometimes the consequential risk could be more. Hence proper documentation of all processes falling in this category is also needed.
- A third party risk management audit can be carried out for checking preparedness.
- The Marketing, Sales, and Human Resource Department should carry out their internal objective based risk analysis and take initiative to overcome them.
- All other sources that can create risks be listed. For this step small brainstorming sessions can be conducted. The minutes of the brainstorming sessions of the branch offices be forwarded to the Risk Management Committee for necessary consideration and action.
- The Headquarters should also from time to time carry out Enterprise Risk Management Workshop (ERMW). Since company’s policies, top management decisions have a bearing on Enterprise Risk only top notch management of the company need to work out its strategies. In fact, it is a review of the investment decisions of the company to make it risk free from losing out or failing to exploit the opportunities of the market.
- All workstations should have power back up. In case of a major power outage the branch should be equipped with a generator to supply its own power.
- Appraisal: The Risk Management Committee goes through the business processes of the company. It enlists all critical business processes. Thorough documentation of functions and processes of factors falling in categories of risk is carried out. Documentation of processes and the critical areas of threat perception for all branch offices should also be carried out. This includes handling of financial information, core operations, project management, project histories, security information, passwords, records, data files, client records, records of jobs rendered, accounts information, confidential reports and personal details of the employees and their functions. RMC with the help of IT experts takes stock of the firewalls and security policy of the Information Technology. The following information comes up:
- ABC Consulting has two layered Risk Management system. At the head office the company should have a team that analyses the business risks in its international operations including new projects and introduce the element of risk management at the inception operations.
- All branch offices will have a Risk Manager who besides carrying out his other duties will make lists of risks.
- The Risks will then be prioritized according to the probability of occurrence.
- A matrix of likely risks with its impending loss be prepared. The maximum risk prone activity be assigned a numerical value of risk engendered. The risk should be classified as technical, inherent, source based, performance based.
- It is noted that the team that interacts with a new client company immediately divulges the detail to the office and make entries in the database of the company. The database of the company is updated on day to day basis.
- The risk manager tries to foresee as many risks as are possible for a project and discusses them with the team in the Risk Management teams.
- All members of the team in an office are encouraged to share foresee emergence of risks and discuss them in Risk Management meetings. The suggestions are incorporated and put forward in the meetings.
- The company should establish benchmark standards for each management consultancy operations.
- All operations and processes should follow the benchmark standards.
- A diary of risk mitigation strategies be maintained at the headquarters and the branch office and a periodic review meetings should be held to analyze how a management has been handled in the past.
Risk Assessment and Risk Management is as indemnification of its assessment and avoidance of activities that may cause risk to business operations. Too much of exercise in risk management may result in an exponential rise of costs and on the contrary too much of relaxation may make some risks potential hazards to the health of the organization. Risk detection, control and mitigation have to be operated at the optimum levels. Earlier transfer of risk to the third party insurer was considered sufficient as it compensated for the monetary loss of the company if it ever faced a risk. However, with increasing competition risk detection and controls also came to be seen in intangible functions like lack of knowledge, wrong information, bad decision-making, etc. It is discernment of the intangible bits of information that has given new perspectives to the study of risk control. With an enterprise approach, firms have to undergo a sweeping philosophical change, and accept that one unit of risk is the same as any other, no matter where it comes from. All these risks are then gathered into a basket and managed together, creating a portfolio effect, with one risk often offsetting another. This makes the cost of risk less volatile (Wood).
The company is valued in terms of its turnover, its human resource capital, infrastructure, and offices and is insured. There is an effective transfer of financial risk of loss has been transferred to the third party insurance company. As a matter of policy, the company does not pursue activities that may be risky or that may entail a risk in loss of further opportunities of business. For example, the company has listed its countries of operation and it has ruled out working in countries with political instability. The company operates only in countries with trusted and tried business circumstances. We begin the Risk assessment and management carrying out an analysis of risks, their assessment, prioritization, suggesting and adopting course for their mitigation.
Positive and Negative Aspects of the Current Status:
- It is noted that since the company doesn’t work in countries that have even a remote chance of political disturbance, it saves on the money it might have had to develop infrastructure and relationships in an instability prone area. The company believes that it saves itself much and time and trouble by staying away from potential trouble spots. However, this cautious attitude leads to a loss of business in these areas as the market is captured by the competitors. A lot of countries marked ‘red’ by the company headquarters are developing countries showing tremendous scope of business growth but due to the reluctance of the company in analyzing the ground situation of each country from time to time leads to loss of business in millions of dollars.
- The company has efficient data storage and retrieval system where the executives make entries about the latest developments on the local servers as well as the company websites. Data is retrieved from the company website by the executives at the headquarters who store it in print format also.
- The company engages its executives in professional training to update and improve their skills. The training is given by the HR department of the company on the global basis.
- ABC Company faced the maximum risk to its operation by the way of intangible risks that the company took. Being a knowledge service provider and helping companies to make managerial decision-making, if its operations do not go through thorough analysis the company could be incurring a wholesale risk to its reputation.
- ABC doesn’t have benchmarks in Project Management and Consulting. The Consultancy doesn’t have a knowledge
- There are no recommended guidelines for keeping confidential information.
However, it needs to be seen that Risk Management goes much beyond than just indemnifying infrastructure, capital and human resources, operations against loss. Risk management involves true assessment of the severity of loss of organization in particular contingency and taking steps to mitigate it. These are Identification, Measurement and Mitigations steps. The solution consists of three modules.
Risks Identification Module 2. Risk Measurement Module 3. Risk Mitigation Module.
(Basel II – Integrated Risk Management Solution).
Risk resolution begins with the cost-benefit analysis of the various possible safeguards and controls in lowering, to an acceptable level and ends in creating cost efficient safeguards during risk resolution. In the first step itself a sound Risk Management policy develops systems that have total back up and any unforeseen eventuality doesn’t have the potential to bring the activities of the company to a stand still. Risk Management also takes into account such factors as loss of clientele, loss of credibility and reputation in the market and takes steps to ensure that it doesn’t occur
The Risk Management Committee of the company has before itself the daunting task of providing Risk Management to all the global offices of the company performing multiple operations. The Risk Management Committee has to carry out the assessment of real time activities of the company, including their financial implications, suggest recourse, train the company staff to meet contingent needs and bring back the business-critical functions to their intended levels after an incident.
2. Backups and Business Continuity Planning: Contrary to the general perception back up and business continuity planning is not exclusive of Risk and Crisis Management. Rather Backups and business continuity Planning (BCP) is a policy of the company that aims at providing resilience to the company in times of crisis, help its emergence from problem situation, to continue critical business operations in while the company is in crisis management mode and keep the reputation, credibility and performance of the company intact under all conditions. Business Continuity Management is not just about disaster recovery, crisis management, and risk management control or recovery management. It is not just a professional specialist discipline but a business owned and driven issue that unifies a broad spectrum of business and management solutions (BCI). BCP should always be included in the corporate governance policy of a good company.
Unlike Risk Management that prepares the company for all kinds of risk tackling and mitigation, business continuity planning works at strengthening the business processes, take the performance levels far above critical levels and ward of the threat perceptions by a level of working that holds no scope for failure. The second important feature of the Business Continuity Planning is that in case of overwhelming of an organization by a risk, damage, or hazard, while the firefighters are working in restoration process, it doesn’t allow the business critical functions to stop functioning. Business Continuity is the ability of a business to continue its activities in the event of natural or deliberate disasters with minimal disruption or downtime. BC begins with a plan that addresses all risks and secures systems that are vital to business operations (Periera).
The more successful is the implementation of BCP, the better results we see in emergency situations. The situation can be likened to provision of essential items, medical services to a population even during times of civil strife, earth quakes, wars, or any other calamity. The working of International Red Cross is a typical example of BCP. The Red Cross Society works with comparable ease under all circumstances—of peace and war, of natural times or natural calamity. There are civil functions that come to a grinding halt but on the other hand the supply of essential items and services continues under any eventuality. This may lead us to think that Business Continuity Planning, perhaps, is the domain of the only government departments, which is wrong. All companies whether in retail trading, service providing, or manufacturing, government or private can introduce Business continuity planning in its working. It is important at this early stage to clearly dismiss two fallacies regarding Business Continuity Management. The first is that it applies only private sector business and the second is that it is Information Technology Disaster Recovery (BCI).
The approach of BCP is to envisage in advance what actually can go wrong and make preparations to work in the worst possible scenario. Due to this BCP is embedded in the work culture of the organization where it undergoes continuous analysis, evolution and adoption of strategies in the work culture. Bench mark standards of the project handling and management are established and critical functions of company fine tuned continually to make them in conformance.
- As part of its current BCP strategy, the company conducts an introspective analysis of its operations.
- Critical failures of the company are discussed and noted.
- A summary of key operations and key persons executing specific projects is made.
- These summaries are discussed in weekly meetings in local offices and the headquarters.
Positive and Negative Aspects: An attempt has been made to implement the Business Continuity Planning in a half hearted manner. Still a lot needs to be done if the company has to evaluate itself on the bench mark standards of global Business Continuity Plans.
However, consistent and a thorough BCP policy is lacking in corporate governance.
A good BCP works on the perpetual cycle of analysis, solutions designs, implementation, testing and maintenance. This is called the Business Continuity Planning life cycle. Implementing BCP in a company implies that it is able to provides core operations or at least a part of them even during periods of calamity or disaster. In fact the emphasis laid on creation and storage of back up in previously considered Risk Management Plan is part of the Business Continuity Process. In addition to the updated record, BCP requires creation of a Practitioner’ Manual and a Hot site. This manual lists the critical functions of the company and how they are to be carried out in emergency situations.
The preparation of manual requires analysis of basic operations of the company and how they are affected under influence of a failure. The manual suggests solutions as to what is to be done when. For its successful implementation its working should be cleared by the top echelons of management. The management can also make a periodic check to update the manual in light of changes if there are any. Through Impact analysis the management can differentiate between critical and non critical operations of the company. These activities are called Business Mission Critical Activities. In the Solution Design the manual will show how to operate bare minimum software applications for providing the basic services. It is important that whenever expands its business activities due changes must be made in the BCP manual to keep it in conformance to the latest activities. The BCP manual lists in detail that in crippling of operations at the headquarters, or branch site, what location will serve as the Hot Site and what operations would continue to till the restoration work is complete.
The manual will also contain the details of information key officers of the company and will allow its bearer at the “Hot site” to go through functions in emergency situations much like the provision of exit door in vehicles in time of accidents.
BCP Practices in the Company
- There is a manual that lists the names of major clients of the company and a record of their projects. As a project is completed it goes off the record from a Project. The manual authorizes the practitioners to clear the immediate withdrawal of a sum for a particular level of client after checking after briefly verifying his/her physical characteristics.
- The manual also carries the details of the major prospective clients of the company and the level of negotiations reached with them.
- All the ten branches and the head office have a copy of the manual. This will imply that the headquarters will furnish the branch B with security information of branch C to carry out its operations of C from the premises of B in case of a catastrophe occurring at Branch C. In fact the remote hosting of the Server and the proxy server comes in handy.
- The database of the company is supported by a Storage Area Network (SAN).
- In case of catastrophe befalling all ten branches the manual should guide the emergency operating officer to start management operations from a remote site with the help of manual.
- The local and federal laws and regulatory mechanisms for companies must be adhered to while making BCP manual.
- Under no conditions should the target objectives of the BCP manual be different from the company objectives rather they should be a sub-set of the overall objectives and missions of the company.
- The BCP should have a second line of vendors ready to make the supply chain work in case of the approved vendors fail to meet the supplies.
It is not enough to discuss and put in theory the BCP practices. From time to time drills should be carried out to test the workability of the BCP practices. A lot of unforeseen eventualities will crop while implementing the sections of the BCP manual. These practical problems should be incorporated in the manual. Contingency or arrival of calamity should not be first time when BCP manual should be put to use. It should be tried and tested formula and only then it will stand the company in good stead in times of need. Experts suggest that all clauses of BCP manual should be put to thorough use.
BCP Should Help Companies to
Disaster Recovery Planning: For the companies that have an elaborate Risk Management and Business Continuity Planning there is hardly anything left that is not included in the two. But as the name suggests, Disaster Recovery Planning could actually mean plans to emerge from worst come worst scenarios. Disasters can include loss of human life/lives, bombing of a building by terrorists, war, sabotage, extreme natural calamity to create a massive or complete loss of information infrastructure and human capital. Disaster Recovery Plan should always be a part of the corporate governance for it is believed that most f the companies that meet a sudden disaster without preparedness often end up being wiped out of business. But new technologies, especially information Technology do lend resilience to r companies to emerge from back breaking unforeseen events. As the technologies go complex so do the disaster recovery plans and vice-versa. As computers, systems, and networks becoming increasingly complex, there are clearly more things that could go wrong. As a consequence, recovery plans have also become more complex (A Disaster Recovery Plan, DRP).
- Disaster Recovery Plan must be up foremost in the minds of the management. The likely outcome of a robust disaster recover plan is that the company is not only providing its services and products but may emerge as a leader in the post-disaster times. This have been proved by all the Japanese majors that were literally bombed out of their premises during the World War II but rose from shambles, collected whatever little they had and pieced together to become leaders in economy. Very recently some of the most established tourist resorts in South East Asian became the victims of Tsunami earthquake. These resorts not only built up their lost properties but have once again become most visited tourist spots high on the itinerary of a tourist. A disaster could be manmade or natural but results in total annihilation and destruction.
Some of the most common types of disasters are: 1. Floods 2. Sea-storms 3.Earthquakes
- Terrorist Attacks 5.Rioting Wars 6. Meteoritic crash 7. Epidemics Fire Workers Strikes 8. Mass agitations, 9. Depression in economy.
Disaster Recovery Plan has a core team that can set the ball in motion after a disaster from the headquarters.
Disaster Recovery Plan is conceived, planned and acted upon by a core team
The Company is not geared to meet a disaster. The company has not taken any financial liabilities to equip itself for disaster handling. However, the chances of the company meeting a disaster in near future are not ruled out.
A sound Disaster Recovery Plan always requires
- Impact Analysis: This analysis helps a company to truly assess the loss incurred by it under the impact.
- Impact analysis includes assessment of the loss of critical functions and consequential loss of revenue and reputation.
- b) Access of data from a storage area network and immediate start of operations.
- Staff trained in handling disasters. Each branch should have one specialized officer who has training in one area. This particular staff member should be trained at disaster management in an institute that delivers such training.
- This Staff member should further have a core team that can operate under disaster with strong reflex. Strong reflex action is inculcated by regular drills carried out for disaster recovery.
- The first foremost concern of a Disaster Recovery Plan is to save the human lives.
- Once everybody is safe the team should look at data retrieval and to make the branch operational with minimum of software and web application.
- These core team further liaisons with different sections to recover the entire data that of the branch, maybe from a offshore location and start work the work of reconstruction and redevelopment.
- The Disaster Recovery Team should maintain effective communication so that it may convey all necessary information to the relevant people in time. This includes information both external to the company that helps in Disaster Recovery as well as information inherent to the systems working of the company.
- The Disaster Recovery panelists should have strong psychological abilities to motivate other members of the team to take up their work.
- As discussed in Business Continuity Program, the Disaster Recovery Team should be able to establish the as early as possible bare minimum functions of the branch in some other location that could be any of the branches of A, B, C or D that hasn’t undergone disaster.
- Immediate recovery and reinstatement of operations reinforces the faith of the customers.
- 10 To check any information technology failure due to a virus attack, timely updations of virus scan mechanisms are necessary.
- To check IT sabotage, there should be strong firewalls, use of software packages that protect the data and encryption of data while using the network
- The Disaster Recovery Team should show presence of mind in beginning operations at a site that is at an optimum distance from the distance. While proximity to the site of disaster could engulf the new site into disaster like a hurricane a remotely located site may make no meaningful difference to customer service.
Disasters are a rarity. But this doesn’t mean that they don’t happen. Many companies fall into complacent thinking that a particular disaster can happen to everybody else but not to them. Since US had never witnessed an attack on its soil ever since the Pearl Harbour episode in the World War II, the American corporate world had come to develop a certain complacent thinking before 9/11 attacks. The twin tower attacks deep at this sense of complacency and today the companies have a very pro-active approach towards disaster management. A disaster can happen at any place; with any business and it could be of any kind. The best interests of the company lie in making itself immune from disasters. The disaster recovery plan should not be a knee jerk reaction but it should be systemized resuscitation of the system to bring back life to the company. Most of the time when a particular disaster strikes a particular geographical area all the businesses including those of the competitors comes to a halt. But the company that has a strong disaster recovery plan has the power to revamp its operations fastest. The company that starts operations in the post-disaster scenario can win over maximum clientele. This lead to earning a competitive edge over others. In other words disaster could be a blessing in disguise.
- Computer Incident Response Teams: With increasing reliability of business Internet, network technology, computers, there is a need of Computer Incident Response Team at all stations of an organization. The threat to the computer security can be from hackers, competitors, saboteurs, or viruses, and worms. The CIRT has the function to quickly detect an incident that poses threat to the computer network security of the company, arrest its damage effect, and remove it from the network. As a first step towards understanding active response, it is important to get a sense of the range of potential responses to digital intrusions. The more successful is the company, the more its reliability on Information technology the greater the amount of ‘computer incident’ it faces. Knee-jerk reactions can lead to further chaos. Detection of an intrusion or a problem, immediate systemic response and exertion of controls for resumption of business critical functions is the subject of our study. IT operations also most vulnerable to intrusions. They are also becoming primary targets of saboteurs, and terrorists. Most of the planning for risk and disaster management is done from the Information Technology viewpoint. The insurer can only compensate the direct financial loss but it can’t the undo the loss of business, clientele and credibility that is lost during suspension of operations. To meet such an eventuality and not allow it to happen in the first place we have concepts like Risk Assessment and Management, Backup and Business Continuity Planning, Disaster Recovery Planning and Information Assurance. No system that has been devised till today is foolproof to risks and disasters. The more precision controlled systems become more vulnerable to attacks from outside. The solutions lies in decreasing the effects of risks to minimum, devising a system that stems the risks at the beginning, go in the recovery mode as soon as damage occurs and restore the most critical business functions as soon as possible.
At the moment there is no Computer Incident Response Team. The computer professionals stationed locally administer the network security Current Status: Since its inception reporting and mitigating on Computer based risks have been low on the strategic planning of ABC Company. The company relies on firewalls for its websites and password security system in day to day functioning. But with successful operations globally and reputation of the company growing, it becomes susceptible to attack by hackers and terrorists.
Positive And Negative Aspects of Absence of CIRT
Since the company has not developed a Computer Incident Response Team it doesn’t earn any expenditure in its making, training and maintenance. The computer incidents go unreported and the company faces chance of intrusion, hacking and crashing. The company requires.
The CIRT is a pro-active group will keep a watch on the Computer Network security and removes any malevolent incident before it causes any damage.
For CIRT team has following functions have to be defined and executed.
- CIRT should know its area of operation—its constituency.
- CIRT should have well defined goals.
- CIRT should continuously monitor the system.
- CIRT should enjoy the support of stake holders.
- CIRT should dynamically monitor the systems making changes in its functioning.
- Complete view of the organizational hierarchy.
- Total constituency of its activity. This also includes the client company where ABC is working is handling projects.
- The Core group of CIRT is from time to time supported by specialists of the field in which the incident is reported.
- It needs to be informed of all critical operations of the company including that of project handling and implementation.
- Cyber laws, rules and regulations wherever ABC operates.
- Provide 24X7 Computer response.
The company has Management, HR and Software Applications Development division that vigorously puts to use Information technology. A virus or worm can create a systems crash that can result in suspension of business operations.
The company needs a Computer Incident Response Team to mitigate any internal an external threat to the network, or the system. Computer Incident Response Team keeps a tab on all the firewalls and anti-virus softwares. It also watches for any past breach in security and does a post mortem analysis of the problem. Most often hackers begin from where they left last time. Likewise the CIRT too has to perform a check on the past incidents and carry out a check in the entire system whether it is free of from such threats.
The CIRT can be locally stationed at each station or it could be a mobile unit that does continuous surveillance of the systems from remote locations. If the CIRT is a mobile unit then there has to network administrators at the local level, who report to the CIRT any malevolent incident that comes to their knowledge. The CIRT team jumps to the response mode and may ask the local network administrator to quarantine the system or the LAN from the main network. The CIRT team then can come to the help the local network administrator or can guide him from a remote location.
Since CIRT team is always required to stay abreast of latest software technologies and latest threat security threats through continuous training, having more than one CIRT team can raise the cost of its maintenance to unaffordable levels. On the other hand one CIRT team at headquarters may take some time in responding to a dangerous situation thus increasing the lead time between detection and strong. Alternately, a CIRT team can have at least one highly trained professional at each station who further leads the computer professionals of that branch to ward off threats. The locally based CIRT always in better position to understand a problem that crops up near its location as it knows the network configuration in details. A locally based CIRT can also keep the network always under surveillance. This leads to early detection and early mitigation of the problem. Early detection of an incident could lead to manifold decrease in actual cost of risk management. Such a professional will keep on training the local staff to watch and ward network security in a dynamic manner. These days’ third parties are also imparting network security training.
CIRT enjoys the confidence of the Board members of the company and they can update and requisitions any technologies that may be required from time to time to keep the company network and computer security intact. Even the best made network is not immune to external security threats. CIRT will not only help to maintain the computer network in healthy condition but can also look after other computer related problems of the branch.. In addition to providing security to the network a good team keeps the network operational by incurring minimum costs.
CIRT is not an exercise in precaution—an unnecessary burden on the company—it is of primary importance in business operations. Organizations that struggle to respond quickly to security incidents are risking harm to their reputations and lose clients.
Therefore, the main mission of a CIRT is to orchestrate a rapid and coordinated response to computer threats across the organization. (Vijayan) The CIRT is always guided by a strategic plan. The strategies of CIRT also take into account for future proposed business operations. There is manual for operation of CIRT that clearly describes as to who has the precedence at junctures where the work of CIRT and business manager overlap. It has been observed that wherever there is a conflict between the role of business management department and the CIRT, the latter is given a precedent to perform.
- The Future of Information Assurance: Information Assurance is a practice in information technology that helps that provides assurance against risks. Information Assurance activities involve regular monitoring, auditing and analysis of working of networks and computer technology to make them robust and immune to security threats.
But gradually we are moving towards systems that have a fool proof security as an embedded feature and is not an add on feature. The challenge of information assurance is not just providing immunity from hackers and saboteurs but a real time system that has in built features of Risk Management, Business Continuity Programme, Disaster Recovery, and corporate governance to cyber laws of various government. With increase in usage of technology, the systems are becoming increasingly vulnerable to viruses, and hacking. As more and more systems in Information Technology interplay it becomes more and more complex to discern and maintain the system at an optimum security levels. The practitioner of Information Assurance gathers important inputs from the practical experiences and tries to embed security options in a network to create a more robust system. The CIRT works in close coordination with computer professionals at all levels of the companies and makes a compendium of all incidents, threats, or system failures they face. The CIRT helps in mitigating and repeat of Information Technology related problems. However, providing total security may not be just a daunting proposition but a very expensive one also. Since a 100% foolproof system can never be made it would be like chasing a mirage while incurring heavy costs. The Chain’s strength is as strong as its weakest link. Even a minor fissure in an otherwise strong system may give the hackers enough opportunity to disrupt the functioning of the company. A good information assurance practitioner will try to strike a balance between security and costs. He will spend only that much amount of time and energy that is required to a make a system reasonably secure. Information Assurance is both a front end job where it actually comes face to face problem of information security. At the back end it makes those valuable changes and features in their systems that they become more robust and foolproof.
The Costs for Implementing the Risk Management, BCP, Disaster Control and CIRT are listed below:
Cost of Creation and Maintenance of CIRT (three members): 20,0000 USD
Appointment of a Risk Manager: 60,000
Risk Audits 20,000
BCP Manual 10,000
Additional Work Stations and Systems 10,000
An effective response, report and control system for an organization is a system that has a robust Business Continuity Program, Disaster Recovery Plan, Computer Incident Response Team, Information Assurance and Risk Management Program in place. The expenditure on mitigation of risks and damages is kept to minimum by spending only an affordable amount of money. The exercises to make a business function secure and healthy may be never ending quest but the companies will have to learn to balance the two. The nature of business too has an important bearing in the use of risk management and disaster management programs. For software companies, banking and financial institutions the alert levels will always remain high. A minor leak of information especially in departments that outsource may prove to be a costly affair. Emphasis should be laid on data encryption whenever data is too transmitted on the Internet. Remote hosting locations for servers are the most cost effective and security from all kinds of risks. Internet creates as well as solves most of the data related problems.
- Ahrens, Sean et al. General security risk assessment, http://www.asisonline.org/guidelines/guidelinesgsra.pdf accessed on 10th August 2006
- Basel II – Integrated Risk Management Solution http://www.bim.edu/pdf/Aspeak/Intergrated%20Risk%20Management.pdf accessed on 10 August 2006
- Smith, David J., Business continuity management, Good practice guidelines, Business continuity institute, version BCI DJS, 1.0, 01/11/02
- Disaster Recovery Plans, Definition, http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci752089,00.html accessed on 10th August 2006.
- Dittrich, David.& Himma K. E. , Active response to computer intrusions pdf
- Vijayan, Jaikumar, Build a Computer Incident Response Team http://www.computerworld.com/securitytopics/security/story/0,10801,72637,00.html accessed on 10th August 2006.
- Computer Incident Response Team – Operational Standards , Office of Information and Educational Technology, UC Davis, http://vpiet.ucdavis.edu/advancedprojects/IncRespFramework.pdf
- Justin Wood, Risk nirvana,, http://www.cfoeurope.com/displaystory.cfm/1736250
- Periera, Brian, Implementing a Business Continuity Plan, Network Magazine, http://www.networkmagazineindia.com/200208/cover1.shtml accessed on August 10th 2007
Recommended Risk Management Activities
- Appointment of a Risk Manager
- Risk Management Committee headed by the Risk Manager at the Company Head office
- Risk Management Committee’s at Operational Offices
- Identification, Analysis, Control of Risks—Weekly Process
- Weekly Reporting from operational office to Head Offices
- Setting up of Process Benchmarks
- Inter-departmental Meetings for Risk Anticipation, Evaluation and Control
- Carrying out activities with Benchmarks Standards
- Updating of insurance records
- Categorisation of Risks—in a) Highly Risky, b)Risky and c)Not so risky categories
- Risk Management Audits
Recommended Business Continuity Activities.
- Chalking of BCP strategy
- Implementation of BCP Lifecycle of
- Creation of Business Continuity Plan Manual
- Periodic checks for adherence to BCP Manual
- Regular professional training
- Identification of Hot site for handling emergency situations
- Listing of all potential Disasters
- Creation of Disaster Recovery Plan
- Assignment of Functions to Operate Critical Functions
- Listing of Business Critical Functions and its availability to important functionaries
Computer Incident Response Team
- Creation CIRT
- Defining its constituency
- CIRT—strategy and goals
- Continuous Monitoring of CIRT
- Training in Incident Control to operational staff